Home Decisions

Decision 179/2021

Decision 179/2021: Names and roles of specified medical staff

Public authority: Lothian Health Board
Case Ref: 202100224

Summary

NHS Lothian was asked for information regarding the treatment of a particular patient.

NHS Lothian provided some of the information, but gave notice that personal data was being withheld and that other information was not held.

The Commissioner investigated and found that NHS Lothian was entitled to withhold the personal data and that it correctly notified the Applicant that other information was not held. However, he also found that NHS Lothian did not respond to the Applicant's request for review within the timescales set down by FOISA.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 21(1) (Review by Scottish public authority); 38(1)(a) and (b), (2A)(a), (5) (definitions of "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 9 October 2020, a solicitor acting for the Applicant made a request for information to Lothian Health Board (NHS Lothian). (References to "the Applicant" in this decision include references to correspondence from the Applicant's solicitor on his behalf and to correspondence from the Applicant on his own behalf.) The information request:

  • Referred to a letter from the Western General Hospital to the Applicant's GP referencing a named doctor supervising the Applicant's care on a specified date and asked for the GP's GMC reference number, his area of expertise, and his number of years practising post qualification.
  • Asked for the name of the consultant under whom the Applicant would have been under the care on a specified date, while at the Western General Hospital.
  • Asked for the GMC reference number and name of the on-call cardiology registrar directing the Applicant's care on a specified date.
  • Referred to previous correspondence from NHS Lothian stating it holds no records for the Applicant during a specified 34 hour period. It noted that, during this time, there will have been doctors key to his care and requested and asked for the names of the consultants responsible for the Applicant; the breakdown of timings for his care during this period; the name of the Lead or Named consultant who assessed the Applicant as clinically ready for discharge; the name of the doctor responsible for the Applicant's discharge process and, if not a consultant, their GMC reference number.
  • Noted that the Applicant's Echocardiogram was performed and reported on by the same person on a specific date. It requested this person's professional qualifications, professional accreditations and training in relation to performing and reporting on Echocardiograms.
  • Referred to a period during which the Applicant progressed to near death while in the care of NHS Lothian. The Applicant understood that, given the severity of the incident and given the time which had elapsed, NHS Lothian would have completed its report to comply with The Duty of Candour Procedure (Scotland) Regulations 2018 and asked for a copy of this report.
  • Named an NHS Lothian consultant and asked for his detailed vacation times and private clinic times during a specified time period.

2. NHS Lothian responded on 13 November 2020. It notified the Applicant that information falling under the scope of request A was available via the GMC website (and so it was exempt under section 25(1) of FOISA). NHS Lothian also advised the Applicant that it was withholding information falling under the scope of requests B, C, D and G under section 38(1)(b) of FOISA, on the basis that the information was only contained in the Applicant's medical records. NHS Lothian also notified the Applicant that it did not hold any information falling within the scope of requests E and F.

3. On 19 November 2020, the Applicant wrote to NHS Lothian requesting a review of its decision on the basis that he did not accept any of the arguments it had made in its original response to his requests. To summarise, the Applicant:

  • Argued that it was not possible to identify the GP referred to in A from the GMC website
  • Noted that he had already received his medical records and that the information requested in B, C, D and G was not in those records
  • Questioned whether NHS Lothian did in fact hold information for E and F

4. NHS Lothian notified the Applicant of the outcome of its review on 12 February 2021. It apologised for the delay in responding and provided the Applicant with some information falling within the scope of requests A, B, C, D and G. NHS Lothian maintained that it did not hold information falling within the scope of requests E and F, and it notified the Applicant that it also did not hold some of the information asked for in request G. NHS Lothian continued to withhold some information falling within the scope of requests C and D under section 38(1)(b) of FOISA.

5. On 21 February 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of NHS Lothian's review because it did not respond to his requirement for review within 20 working days, and because he was dissatisfied with its response to requests C, D, E, F and G. The Applicant did not accept that NHS Lothian did not hold information falling within the scope of request G, and he argued that he should be provided with the information being withheld in requests C and D.

6. The Applicant also expressed dissatisfaction with the response to requests E and F, but given that the matters giving rise to his dissatisfaction were not related to the handling of the requests under FOISA, these cannot be considered by the Commissioner. (The Applicant was notified of this fact.)

Investigation

7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 22 March 2021, NHS Lothian was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Lothian was invited to comment on this application and to answer specific questions. These related to its decision to withhold personal data under section 38(1)(b) of FOISA, and its contention that it did not hold some of the information requested by the Applicant.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Lothian. He is satisfied that no matter of relevance has been overlooked.

Section 17 - Information not held

11. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received, subject to certain qualifications which are not applicable in this case. Under section 17(1) of FOISA, where an authority receives a request for information it does not hold, it must give the applicant notice in writing to that effect.

12. In its review outcome, in response to request G, NHS Lothian gave the Applicant notice, in terms of section 17(1) of FOISA, that it did not hold the private clinic times for a named consultant during a specified time period.

13. The Applicant did not accept that this information was not held. He argued that, within NHS Lothian's cardiology department, consultants and other doctors are aware that cardiology consultants leave their contracted NHS duties to attend pre-arranged private clinics. Given this, he contended that NHS Lothian should hold this information as it occurs during NHS Lothian contracted hours. The Applicant offered more specific information to assist NHS Lothian in locating the information he sought in request G.

14. NHS Lothian submitted that the named consultant did not use NHS Lothian systems in relation to private clinics and it asserted that private clinics do not occur during an individual's contracted hours.

15. NHS Lothian explained that private clinics are not run on NHS sites and it therefore does not have a schedule of private clinics operating on its premises to draw on. NHS Lothian noted that this is different to how some NHS Trusts operate in England who do operate private consulting rooms on site and therefore would have such a schedule.

16. NHS Lothian submitted that consultant job plans indicate when an NHS consultant works for NHS Lothian and when they do not. NHS Lothian does not specify or determine when in their time outside of NHS contracted commitments, consultants do their private work as that is a relationship between the consultant and the private employer, provided they meet the requirements of the NHS Scotland Consultant Contract Terms & Conditions.

17. NHS Lothian were asked to confirm whether consultants were contractually or otherwise obliged to tell them if they were undertaking private work and, if so, whether there was a record of the times worked elsewhere.

18. In response, NHS Lothian provided the Commissioner with information about the software system they use to record which consultant are undertaking private practice. It explained that it can run an excel report which will show who is undertaking private practice, and that the system counts the hours they work.

19. NHS Lothian submitted that, if consultants specify that they carry out their private practice at a specific time, on a specific day, it can capture this information in a report too. However, if consultants annualise the time spent on private practice, then NHS Lothian would only be able to say how much time they spent on private practice on an average week.

20. NHS Lothian submitted that, while the named consultant has since retired, it looked at his last job plan before he left and it does state that he undertook private practice. However, it explained that the functionality of the system for consultants to record their private practice was only introduced with the launch of the new version of the software in December 2020. Prior to that, NHS Lothian would have had to interrogate each individual job plan, and it contended that this would have been too time consuming and it would not have responded to an information request in that case. NHS Lothian submitted that the named consultant's details for the period requested were not on the system.

21. NHS Lothian provided the Commissioner with excerpts from policies on its intranet regarding on-call and private practice, and it stressed that there was no obligation for consultants to record specific individual private sessions.

22. NHS Lothian reiterated that it did not hold a record of private clinic times, nor was it required to hold it. It explained that the contract stipulates that NHS Lothian agrees when and where consultants will deliver activity for the employer (through the agreed job plan) and that consultants must inform NHS Lothian if they intend to carry out private practice. NHS Lothian submitted that there was also a requirement for consultants to ensure that there is no perceived or actual conflict of interest between their NHS work and their private practice.

23. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining whether a Scottish public authority holds information, the Commissioner will consider the scope, quality, thoroughness and results of the searches carried out by the public authority. He will also consider, where appropriate, any reason offered by the public authority to explain why the information is not held.

24. Having considered all the relevant submissions, the Commissioner accepts that NHS Lothian did not hold the information at the time of the request. The Commissioner is satisfied that the software system used to record private practice now was not in place during the time period specified and that there was no obligation on the named consultant to provide NHS Lothian with the specific times and locations that he was carrying out private practice. The Commissioner has no reason to doubt NHS Lothian's explanation of the information held at the time of the request. The Commissioner, therefore, finds that NHS Lothian complied with Part 1 of FOISA in notifying the Applicant that no information was held under section 17(1) of FOISA in responding to this part of the request.

Section 38(1)(a) - Personal information

25. In its review outcome, NHS Lothian advised the Applicant that the information in request D was exempt from disclosure under section 38(1)(b) of FOISA, on the grounds that it comprised third party personal data. In submissions to the Commissioner, NHS Lothian submitted that it had reached this view as the request was made by a solicitor, on behalf of the Applicant, and the solicitor had not provided it with a personal data mandate. During the investigation, when NHS Lothian was satisfied that the Applicant was pursing matters in his own name, it also applied the exemption contained in section 38(1)(a) of FOISA to the information being withheld in request D, on the grounds that it was the Applicant's own personal data.

26. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.

27. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the UK GDPR (or, where appropriate, under the DPA 2018). This route is more appropriate for individuals accessing their personal data, as it ensures that it is disclosed only to the individual. Information disclosed under FOISA is considered to be disclosed into the public domain. Section 38(1)(a) does not deny individuals a right to access information about themselves, but ensures that the right is exercised under the correct legislation (the GDPR) and not under FOISA.

28. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

"… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

29. The definition of personal data is also set out in full in Appendix 1.

Is the information the Applicant's own personal data?

30. As explained above, NHS Lothian submitted that it originally withheld the information falling within the scope of request D under section 38(1)(b) of FOISA, as the solicitor who acted on the Applicant's behalf had not provided it with a data protection mandate from the Applicant. In addition, the information captured by request D comprised the personal data of junior members of staff providing care.

31. NHS Lothian acknowledged that the Applicant is now representing himself in this process, and as such it was now seeking to rely on the exemptions in section 38(1)(a) and (b) of FOISA to withhold the information from him.

32. When setting out its reasons for considering the information to be exempt under section 38(1)(a) of FOISA, NHS Lothian explained that the information requested relates specifically to the Applicant's care and treatment. It submitted that the level of detail requested by the Applicant was only available from his medical record and it noted that this has already been provided to the Applicant (three times) under the UK GDPR, where it was treated as a subject access request. NHS Lothian explained that the information is patient/staff specific and identifiable, and in order for this to be provided it has to be extracted from the Applicant's medical record. For these reasons, NHS Lothian argued that the information falls under the exemption contained in section 38(1)(a) of FOISA.

33. The Commissioner has carefully considered the information that falls within the scope of the Applicant's request and the submissions received. It is apparent that the information in question relates to the medical treatment of the Applicant, and that it is contained within the Applicant's own medical records. It is clear that the Applicant can be identified from the information and, while the information also comprises third party personal data of named medical staff (who treated the Applicant) in the circumstances, the Commissioner is satisfied that the information is entirely the Applicant's own personal data. That being the case, the Commissioner finds that NHS Lothian is entitled to withhold the information under section 38(1)(a) of FOISA.

34. As noted above, NHS Lothian had originally withheld this information under section 38(1)(b) of FOISA, and it is still relying on that exemption as well as the exemption contained in section 38(1)(a) of FOISA. As the Commissioner has concluded that all of the withheld information comprises the Applicant's own personal data, he must find that the correct exemption in this case is section 38(1)(a) and he will not go on to consider the application of section 38(1)(b) of FOISA.

35. The Commissioner's remit extends only to the consideration of whether a Scottish public authority has complied with Part 1 of FOISA in responding to a request. The Commissioner cannot comment on whether a Scottish public authority should provide information to an applicant under any other rights or legislation. The Applicant has been advised that it is the UK Information Commissioner's Office (the ICO) which is responsible for the DPA and, should it be necessary, that he can make contact with the ICO in order to seek advice in relation to access to his personal data.

Section 38(1)(b) - Personal information

36. In request C, the Applicant asked for the name and GMC reference number of the on-call cardiology registrar who directed his care. NHS Lothian provided the Applicant with the name and GMC number of the consultant, but it withheld the name and GMC number of the on-call STR3 (Specialist Trainee Doctor) under section 38(1)(b) of FOISA, on the basis that the STR3 was not sufficiently senior.

37. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is "personal data", as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

Is the information personal data?

38. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual". Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular with reference to -

  • an identifier such as a name, an identification number, location data or an online identifier, or
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

39. The name and/or GMC reference number of the individual who directed the Applicant's care while in hospital clearly relates to a living individual, who could be identified by its disclosure. Given this, the Commissioner is satisfied that the information captured by the request is personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

40. NHS Lothian argued that disclosing the personal data, would breach the first data protection principle. This requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5(1)(a) of the GDPR).

41. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018), "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request. This means that the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(f) of the GDPR

42. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data to be disclosed.

43. NHS Lothian did not accept that there was any article in the UK GDPR which could allow disclosure of the information.

44. The Commissioner considers that condition (f) of Article 6(1) of the UK GDPR is the only condition which could apply in the circumstances. This states that processing shall be lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

45. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

46. The tests which must be met before Article 6(1)(f) can be met are as follows:

i) Would the Applicant have a legitimate interest in obtaining personal data, if held?

ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

47. NHS Lothian noted that it was not its policy to disclose the names of junior members of staff.

48. It did not accept that the Applicant had a legitimate interest in obtaining the personal data. It argued that there was a named consultant responsible for the Applicant's care, and his name and GMC reference number has been disclosed.

49. The Commissioner disagrees. In his view it is reasonable for the Applicant to want know the names of all of the medical staff who treated him during this period, particularly the on-call registrar. The Commissioner is satisfied that obtaining this personal data would be matters of legitimate interest to the Applicant. The Commissioner is also satisfied that this legitimate interest would extend to the wider public interest, in being satisfied that NHS Lothian practices openness and transparency when patients have concerns about the treatment they received. Overall, the Commissioner is satisfied that the Applicant has a legitimate interest in obtaining the personal data.

Would disclosure be necessary?

50. The next question is whether the disclosure of personal data would be necessary to achieve that legitimate interest. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant's legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject.

51. In the Commissioner's view, the only way the Applicant's legitimate interest could be met would be by viewing the information he has requested. Only then would he be able to understand who was directly involved in the decision making regarding his care. The Commissioner notes that no policy or procedure has been brought to his attention by either NHS Lothian or the Applicant that might offer another way for the Applicant to be able to know who conducted his care.

52. Having considered the scope of the Applicant's request, the Commissioner accepts that disclosure of the personal data is necessary to achieve the Applicant's legitimate interests.

The data subject's interests or fundamental rights and freedoms (and balancing exercise)

53. The Commissioner has concluded that the disclosure of the information is necessary to achieve the Applicant's legitimate interests. However, this must be balanced against the fundamental rights and freedoms of the data subjects (the on-call registrar described by the Applicant). Only if the legitimate interests of the Applicant outweighed those of the data subject could personal data be disclosed without breaching the first data protection principle.

54. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 555[1].

55. The Commissioner's guidance[2] on section 38 of FOISA notes that, in carrying out the balancing exercise, much will depend on the reasonable expectations of the data subjects. Factors which will be relevant in determining reasonable expectations include:

i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

ii) the potential harm or distress that may be caused by disclosure

iii) whether the individual objected to the disclosure.

56. The Commissioner agrees with NHS Lothian that the medical professional with overarching care for patients during the Applicant's stay in hospital is the consultant and not the junior member of staff who was on-call at that time. The Commissioner notes that the Applicant has been provided with the consultant's name and GMC number and he agrees that details of junior staff members is generally information that an individual would expect to be withheld in response to a request made under FOI. The Commissioner acknowledges that there are other scenarios where that information may be lawfully disclosed, such as during official legal proceedings, but in terms of FOISA, he considers that the junior staff member would have a reasonable expectation that their name would be withheld.

57. The Commissioner has also considered the potential harm or distress that could be caused by disclosure of the information. Disclosure under FOISA is a public disclosure. At the most general level, alleging or suggesting a poor level of care is likely to cause some reputational damage to the junior staff member.

58. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subject, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individual in question in this case.

59. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data.

Fairness and transparency

60. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

61. For the reasons set out above, the Commissioner is satisfied that disclosure of the name and/or GMC reference number of the on-call registrar would breach the data protection principle in Article 5(1)(a) of the UK GDPR. The Commissioner therefore finds that the personal data is exempt from disclosure under section 38(1)(b) of FOISA.

Timescale for compliance

62. Section 21(1) of FOISA gives authorities a maximum of 20 working days after receipt of the requirement for review to comply, subject to qualifications that are not relevant in this case.

63. NHS Lothian notified the Applicant of the outcome of its review almost three months after receipt of the requirement for review.

64. Therefore, the Commissioner must find that in this respect NHS Lothian failed to comply with section 21(1) of FOISA.

65. As noted above, NHS Lothian acknowledged this late response in its review outcome and apologised.

Decision

The Commissioner finds that Lothian Health Board (NHS Lothian) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that by correctly withholding personal data under sections 38(1)(a) and (b) of FOISA and by giving the Applicant notice, under section 17(1) of FOISA, that some information was not held, NHS Lothian complied with Part 1.

However, by failing to respond to the Applicant's requirement for review within 20 working days, NHS Lothian failed to comply with Part 1. The Commissioner does not require NHS Lothian to take any action in respect of this failure in response to the Applicant's application.

Appeal

Should either the Applicant or NHS Lothian wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
5 November 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

21 Review by Scottish public authority

(1) Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later than the twentieth working day after receipt by it of the requirement.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.

[1] https://www.supremecourt.uk/cases/docs/uksc-2012-0126-judgment.pdf

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx